
really slow system - hijack this log

Discussion in 'Virus & Other Malware Removal' started by teesy, Oct 7, 2003.

  1. teesy

    teesy Thread Starter

    Joined:
    Oct 7, 2003
    Messages:
    6
    My system has been running tremendously slowly the past two or three days, so I ran the HijackThis program. Could someone tell me what I need to get rid of? Thanks!!



    Logfile of HijackThis v1.97.2
    Scan saved at 09:18:13, on 07/10/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Norton Internet Security\NISUM.EXE
    D:\windows\system32\keybdcntl.exe
    D:\WINDOWS\System32\wjview.exe
    D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    D:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    D:\WINDOWS\System32\ezSP_Px.exe
    D:\WINDOWS\BQTray.exe
    D:\Program Files\Norton Internet Security\ccPxySvc.exe
    D:\windows\system32\win32gb.exe
    D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\Program Files\Norton AntiVirus\navapsvc.exe
    D:\windows\system32\mscnt.exe
    D:\WINDOWS\System32\91028994.exe
    D:\WINDOWS\System32\ctfmon.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    D:\Program Files\Webshots\WebshotsTray.exe
    D:\Program Files\blueyonder IST\bin\mpbtn.exe
    D:\Program Files\Outlook Express\msimn.exe
    D:\Program Files\LimeShop\LimeShop.exe
    D:\WINDOWS\system32\mmc.exe
    D:\WINDOWS\system32\DfrgFat.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Documents and Settings\Teresa Banks\My Documents\My Received Files\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ewebsearch.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=132702
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=132702
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=132702
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.virgin.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ok-search.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin Net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F1 - win.ini: run=d:\windows\system32\keybdcntl.exe
    O1 - Hosts: 66.159.20.52 www1.ndhosting.com
    O1 - Hosts: 66.159.20.52 www3.ndhosting.com
    O1 - Hosts: 66.159.20.52 www2.ndhosting.com
    O1 - Hosts: 66.159.20.52 www.ndhosting.com
    O1 - Hosts: 66.159.20.52 www.kinghost.com
    O1 - Hosts: 66.159.20.52 kinghost.com
    O1 - Hosts: 66.159.20.52 www1.kinghost.com
    O1 - Hosts: 66.159.20.52 www2.kinghost.com
    O1 - Hosts: 66.159.20.52 www3.kinghost.com
    O1 - Hosts: 66.159.20.52 www4.kinghost.com
    O1 - Hosts: 66.159.20.52 www5.kinghost.com
    O1 - Hosts: 66.159.20.52 www6.kinghost.com
    O1 - Hosts: 66.159.20.52 www7.kinghost.com
    O1 - Hosts: 66.159.20.52 www8.kinghost.com
    O1 - Hosts: 66.159.20.52 www9.kinghost.com
    O1 - Hosts: 66.159.20.52 www10.kinghost.com
    O1 - Hosts: 66.159.20.52 www.smutserver.com
    O1 - Hosts: 66.159.20.52 smutserver.com
    O1 - Hosts: 66.159.20.52 www1.smutserver.com
    O1 - Hosts: 66.159.20.52 www2.smutserver.com
    O1 - Hosts: 66.159.20.52 www16.smutserver.com
    O1 - Hosts: 66.159.20.52 www3.smutserver.com
    O1 - Hosts: 66.159.20.52 www4.smutserver.com
    O1 - Hosts: 66.159.20.52 www5.smutserver.com
    O1 - Hosts: 66.159.20.52 www6.smutserver.com
    O1 - Hosts: 66.159.20.52 www7.smutserver.com
    O1 - Hosts: 66.159.20.52 www8.smutserver.com
    O1 - Hosts: 66.159.20.52 www9.smutserver.com
    O1 - Hosts: 66.159.20.52 www10.smutserver.com
    O1 - Hosts: 66.159.20.52 www11.smutserver.com
    O1 - Hosts: 66.159.20.52 www12.smutserver.com
    O1 - Hosts: 66.159.20.52 www13.smutserver.com
    O1 - Hosts: 66.159.20.52 www14.smutserver.com
    O1 - Hosts: 66.159.20.52 www15.smutserver.com
    O1 - Hosts: 66.159.20.52 www17.smutserver.com
    O1 - Hosts: 66.159.20.52 www18.smutserver.com
    O1 - Hosts: 66.159.20.52 www19.smutserver.com
    O1 - Hosts: 66.159.20.52 www20.smutserver.com
    O1 - Hosts: 66.159.20.52 www21.smutserver.com
    O1 - Hosts: 66.159.20.52 www22.smutserver.com
    O1 - Hosts: 66.159.20.52 www23.smutserver.com
    O1 - Hosts: 66.159.20.52 www24.smutserver.com
    O1 - Hosts: 66.159.20.52 www25.smutserver.com
    O1 - Hosts: 66.159.20.52 www26.smutserver.com
    O1 - Hosts: 66.159.20.52 www27.smutserver.com
    O1 - Hosts: 66.159.20.52 www28.smutserver.com
    O1 - Hosts: 66.159.20.52 www29.smutserver.com
    O1 - Hosts: 66.159.20.52 www30.smutserver.com
    O1 - Hosts: 66.159.20.52 www31.smutserver.com
    O1 - Hosts: 66.159.20.52 www32.smutserver.com
    O1 - Hosts: 66.159.20.52 agreathost.net
    O1 - Hosts: 66.159.20.52 www.agreathost.net
    O1 - Hosts: 66.159.20.52 hotfreehost.com
    O1 - Hosts: 66.159.20.52 www.hotfreehost.com
    O1 - Hosts: 66.159.20.52 greatfreehost.com
    O1 - Hosts: 66.159.20.52 www.greatfreehost.com
    O1 - Hosts: 66.159.20.52 freesmutpages.com
    O1 - Hosts: 66.159.20.52 www.freesmutpages.com
    O1 - Hosts: 66.159.20.52 apornhost.com
    O1 - Hosts: 66.159.20.52 www.apornhost.com
    O1 - Hosts: 66.159.20.52 nasty-pages.com
    O1 - Hosts: 66.159.20.52 www.nasty-pages.com
    O1 - Hosts: 66.159.20.52 sexyfreehost.com
    O1 - Hosts: 66.159.20.52 www.sexyfreehost.com
    O1 - Hosts: 66.159.20.52 x4web.com
    O1 - Hosts: 66.159.20.52 www.x4web.com
    O1 - Hosts: 66.159.20.52 sexplanets.com
    O1 - Hosts: 66.159.20.52 www.sexplanets.com
    O1 - Hosts: 66.159.20.52 maxismut.com
    O1 - Hosts: 66.159.20.52 www.maxismut.com
    O1 - Hosts: 66.159.20.52 tgpfriendly.com
    O1 - Hosts: 66.159.20.52 www.tgpfriendly.com
    O1 - Hosts: 66.159.20.52 tgp-server.com
    O1 - Hosts: 66.159.20.52 www.tgp-server.com
    O1 - Hosts: 66.159.20.52 magnaplza.com
    O1 - Hosts: 66.159.20.52 www.magnaplza.com
    O1 - Hosts: 66.159.20.52 free-xxx-server.com
    O1 - Hosts: 66.159.20.52 www.free-xxx-server.com
    O1 - Hosts: 66.159.20.52 libereco.net
    O1 - Hosts: 66.159.20.52 www.libereco.net
    O1 - Hosts: 66.159.20.52 0190-dialer.com
    O1 - Hosts: 66.159.20.52 www.0190-dialer.com
    O1 - Hosts: 66.159.20.52 xxxod.net
    O1 - Hosts: 66.159.20.52 www.xxxod.net
    O1 - Hosts: 66.159.20.52 altsights.com
    O1 - Hosts: 66.159.20.52 www.altsights.com
    O1 - Hosts: 66.159.20.52 adulthosting.com
    O1 - Hosts: 66.159.20.52 www.adulthosting.com
    O1 - Hosts: 66.159.20.52 superhova.com
    O1 - Hosts: 66.159.20.52 www.superhova.com
    O1 - Hosts: 66.159.20.52 bestpornhost.com
    O1 - Hosts: 66.159.20.52 www.bestpornhost.com
    O1 - Hosts: 66.159.20.52 hostingfree.com
    O1 - Hosts: 66.159.20.52 www.hostingfree.com
    O1 - Hosts: 66.159.20.52 xfreehosting.com
    O1 - Hosts: 66.159.20.52 www.xfreehosting.com
    O1 - Hosts: 66.159.20.52 blinghosting.com
    O1 - Hosts: 66.159.20.52 www.blinghosting.com
    O1 - Hosts: 66.159.20.52 x-x-x-hosting.com
    O1 - Hosts: 66.159.20.52 www.x-x-x-hosting.com
    O1 - Hosts: 66.159.20.52 pornparks.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - D:\WINDOWS\wsem215.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FLASHGET\jccatch.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\windows\googletoolbar_en_2.0.95-big.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - D:\WINDOWS\nem214.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\windows\googletoolbar_en_2.0.95-big.dll
    O4 - HKLM\..\Run: [MVRescue] C:\MVRescue\mvrescue quit
    O4 - HKLM\..\Run: [LimeShop] wjview /cp:p "D:\Program Files\LimeShop\System\Code" Main lp: "D:\Program Files\LimeShop"
    O4 - HKLM\..\Run: [EPSON Stylus C44 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
    O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LVCOMS] D:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [ezShieldProtector for Px] D:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [BurnQuick Queue] D:\WINDOWS\BQTray.exe
    O4 - HKLM\..\Run: [win32gb] d:\windows\system32\win32gb.exe /noconnect
    O4 - HKLM\..\Run: [FLOSVYCF] D:\WINDOWS\FLOSVYCF.exe
    O4 - HKLM\..\Run: [Keybdcntl] d:\windows\system32\keybdcntl.exe
    O4 - HKLM\..\Run: [Mscnt] d:\windows\system32\mscnt.exe /noconnect
    O4 - HKLM\..\Run: [83050173.exe] D:\WINDOWS\System32\83050173.exe
    O4 - HKLM\..\Run: [Ad-aware] D:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe +c
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Winstart] C:\windows\winstart32.exe
    O4 - HKCU\..\RunServices: [Winstart] C:\windows\winstart32.exe
    O4 - HKCU\..\RunServices: [_BKP] C:\windows\_BKP.com
    O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: blueyonder Instant Support Tool.lnk = D:\Program Files\blueyonder IST\bin\matcli.exe
    O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://d:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://d:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://d:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
    O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: LimeShop Preferences - file://D:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O8 - Extra context menu item: Si&milar Pages - res://d:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://d:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .bcf: D:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/dlaccell.CAB
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {2F0D1DA3-F3E4-4C67-BB5C-5AFD70C1A4A5} (UDConnect Class) - http://19.sharedsource.org/html/UDConn.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {785EA525-5066-495F-ADF6-3B8316515DEF} (Collapse Control) - http://mirror.worldwinner.com/games/v43/collapse/collapse.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} (MoneyTree Dialer) - http://xbs.sea.mtree.com/mt/dialers/fc/UniDist.CAB
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://64.246.54.111/download/videochat.exe
     
  2. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Teresa....welcome to T.S.G:)

    Do this First.

    Download AdAware 6 181
    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window: Click "Start" then "Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings (the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and tick "Automatically try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now, to scan, just click the "Scan" button.

    When scan is finished, mark everything for removal and get rid of it.

    then
    Download Spybot - Search & Destroy from http://security.kolla.de

    After installing, first press Online, and search for, put a check mark at, and install all updates.
    Next, close all Internet Explorer and OE windows, hit 'Check for Problems', and have SpyBot remove all it finds that is marked in RED

    Run an online antivirus check from at least one of the following sites
    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/

    Then go here and download the QHosts removal tool.
    http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.removal.tool.html
    Scroll down the page to the download link.

    then post a new hijackthis log to check what is left
     
  3. teesy

    teesy Thread Starter

    Joined:
    Oct 7, 2003
    Messages:
    6
    Ok, done all that (Symantec found 20 infected files but didn't have a way to remove them, and Norton doesn't see them at all / Trojan QHosts didn't find anything) - here is the new HijackThis log:

    Logfile of HijackThis v1.97.2
    Scan saved at 11:37:58, on 07/10/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Norton Internet Security\NISUM.EXE
    D:\windows\system32\keybdcntl.exe
    D:\WINDOWS\System32\wjview.exe
    D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    D:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    D:\WINDOWS\System32\ezSP_Px.exe
    D:\WINDOWS\BQTray.exe
    D:\Program Files\Norton Internet Security\ccPxySvc.exe
    D:\windows\system32\win32gb.exe
    D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\Program Files\Norton AntiVirus\navapsvc.exe
    D:\windows\system32\mscnt.exe
    D:\WINDOWS\System32\ctfmon.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    D:\Program Files\LimeShop\LimeShop.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\Documents and Settings\Teresa Banks\My Documents\My Received Files\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.virgin.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin Net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F1 - win.ini: run=d:\windows\system32\keybdcntl.exe
    O1 - Hosts: 66.159.20.52 www1.ndhosting.com
    O1 - Hosts: 66.159.20.52 www3.ndhosting.com
    O1 - Hosts: 66.159.20.52 www2.ndhosting.com
    O1 - Hosts: 66.159.20.52 www.ndhosting.com
    O1 - Hosts: 66.159.20.52 www.kinghost.com
    O1 - Hosts: 66.159.20.52 kinghost.com
    O1 - Hosts: 66.159.20.52 www1.kinghost.com
    O1 - Hosts: 66.159.20.52 www2.kinghost.com
    O1 - Hosts: 66.159.20.52 www3.kinghost.com
    O1 - Hosts: 66.159.20.52 www4.kinghost.com
    O1 - Hosts: 66.159.20.52 www5.kinghost.com
    O1 - Hosts: 66.159.20.52 www6.kinghost.com
    O1 - Hosts: 66.159.20.52 www7.kinghost.com
    O1 - Hosts: 66.159.20.52 www8.kinghost.com
    O1 - Hosts: 66.159.20.52 www9.kinghost.com
    O1 - Hosts: 66.159.20.52 www10.kinghost.com
    O1 - Hosts: 66.159.20.52 www.smutserver.com
    O1 - Hosts: 66.159.20.52 smutserver.com
    O1 - Hosts: 66.159.20.52 www1.smutserver.com
    O1 - Hosts: 66.159.20.52 www2.smutserver.com
    O1 - Hosts: 66.159.20.52 www16.smutserver.com
    O1 - Hosts: 66.159.20.52 www3.smutserver.com
    O1 - Hosts: 66.159.20.52 www4.smutserver.com
    O1 - Hosts: 66.159.20.52 www5.smutserver.com
    O1 - Hosts: 66.159.20.52 www6.smutserver.com
    O1 - Hosts: 66.159.20.52 www7.smutserver.com
    O1 - Hosts: 66.159.20.52 www8.smutserver.com
    O1 - Hosts: 66.159.20.52 www9.smutserver.com
    O1 - Hosts: 66.159.20.52 www10.smutserver.com
    O1 - Hosts: 66.159.20.52 www11.smutserver.com
    O1 - Hosts: 66.159.20.52 www12.smutserver.com
    O1 - Hosts: 66.159.20.52 www13.smutserver.com
    O1 - Hosts: 66.159.20.52 www14.smutserver.com
    O1 - Hosts: 66.159.20.52 www15.smutserver.com
    O1 - Hosts: 66.159.20.52 www17.smutserver.com
    O1 - Hosts: 66.159.20.52 www18.smutserver.com
    O1 - Hosts: 66.159.20.52 www19.smutserver.com
    O1 - Hosts: 66.159.20.52 www20.smutserver.com
    O1 - Hosts: 66.159.20.52 www21.smutserver.com
    O1 - Hosts: 66.159.20.52 www22.smutserver.com
    O1 - Hosts: 66.159.20.52 www23.smutserver.com
    O1 - Hosts: 66.159.20.52 www24.smutserver.com
    O1 - Hosts: 66.159.20.52 www25.smutserver.com
    O1 - Hosts: 66.159.20.52 www26.smutserver.com
    O1 - Hosts: 66.159.20.52 www27.smutserver.com
    O1 - Hosts: 66.159.20.52 www28.smutserver.com
    O1 - Hosts: 66.159.20.52 www29.smutserver.com
    O1 - Hosts: 66.159.20.52 www30.smutserver.com
    O1 - Hosts: 66.159.20.52 www31.smutserver.com
    O1 - Hosts: 66.159.20.52 www32.smutserver.com
    O1 - Hosts: 66.159.20.52 agreathost.net
    O1 - Hosts: 66.159.20.52 www.agreathost.net
    O1 - Hosts: 66.159.20.52 hotfreehost.com
    O1 - Hosts: 66.159.20.52 www.hotfreehost.com
    O1 - Hosts: 66.159.20.52 greatfreehost.com
    O1 - Hosts: 66.159.20.52 www.greatfreehost.com
    O1 - Hosts: 66.159.20.52 freesmutpages.com
    O1 - Hosts: 66.159.20.52 www.freesmutpages.com
    O1 - Hosts: 66.159.20.52 apornhost.com
    O1 - Hosts: 66.159.20.52 www.apornhost.com
    O1 - Hosts: 66.159.20.52 nasty-pages.com
    O1 - Hosts: 66.159.20.52 www.nasty-pages.com
    O1 - Hosts: 66.159.20.52 sexyfreehost.com
    O1 - Hosts: 66.159.20.52 www.sexyfreehost.com
    O1 - Hosts: 66.159.20.52 x4web.com
    O1 - Hosts: 66.159.20.52 www.x4web.com
    O1 - Hosts: 66.159.20.52 sexplanets.com
    O1 - Hosts: 66.159.20.52 www.sexplanets.com
    O1 - Hosts: 66.159.20.52 maxismut.com
    O1 - Hosts: 66.159.20.52 www.maxismut.com
    O1 - Hosts: 66.159.20.52 tgpfriendly.com
    O1 - Hosts: 66.159.20.52 www.tgpfriendly.com
    O1 - Hosts: 66.159.20.52 tgp-server.com
    O1 - Hosts: 66.159.20.52 www.tgp-server.com
    O1 - Hosts: 66.159.20.52 magnaplza.com
    O1 - Hosts: 66.159.20.52 www.magnaplza.com
    O1 - Hosts: 66.159.20.52 free-xxx-server.com
    O1 - Hosts: 66.159.20.52 www.free-xxx-server.com
    O1 - Hosts: 66.159.20.52 libereco.net
    O1 - Hosts: 66.159.20.52 www.libereco.net
    O1 - Hosts: 66.159.20.52 0190-dialer.com
    O1 - Hosts: 66.159.20.52 www.0190-dialer.com
    O1 - Hosts: 66.159.20.52 xxxod.net
    O1 - Hosts: 66.159.20.52 www.xxxod.net
    O1 - Hosts: 66.159.20.52 altsights.com
    O1 - Hosts: 66.159.20.52 www.altsights.com
    O1 - Hosts: 66.159.20.52 adulthosting.com
    O1 - Hosts: 66.159.20.52 www.adulthosting.com
    O1 - Hosts: 66.159.20.52 superhova.com
    O1 - Hosts: 66.159.20.52 www.superhova.com
    O1 - Hosts: 66.159.20.52 bestpornhost.com
    O1 - Hosts: 66.159.20.52 www.bestpornhost.com
    O1 - Hosts: 66.159.20.52 hostingfree.com
    O1 - Hosts: 66.159.20.52 www.hostingfree.com
    O1 - Hosts: 66.159.20.52 xfreehosting.com
    O1 - Hosts: 66.159.20.52 www.xfreehosting.com
    O1 - Hosts: 66.159.20.52 blinghosting.com
    O1 - Hosts: 66.159.20.52 www.blinghosting.com
    O1 - Hosts: 66.159.20.52 x-x-x-hosting.com
    O1 - Hosts: 66.159.20.52 www.x-x-x-hosting.com
    O1 - Hosts: 66.159.20.52 pornparks.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FLASHGET\jccatch.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\windows\googletoolbar_en_2.0.95-big.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\windows\googletoolbar_en_2.0.95-big.dll
    O4 - HKLM\..\Run: [MVRescue] C:\MVRescue\mvrescue quit
    O4 - HKLM\..\Run: [EPSON Stylus C44 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
    O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LVCOMS] D:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [ezShieldProtector for Px] D:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [BurnQuick Queue] D:\WINDOWS\BQTray.exe
    O4 - HKLM\..\Run: [win32gb] d:\windows\system32\win32gb.exe /noconnect
    O4 - HKLM\..\Run: [FLOSVYCF] D:\WINDOWS\FLOSVYCF.exe
    O4 - HKLM\..\Run: [Keybdcntl] d:\windows\system32\keybdcntl.exe
    O4 - HKLM\..\Run: [Mscnt] d:\windows\system32\mscnt.exe /noconnect
    O4 - HKLM\..\Run: [83050173.exe] D:\WINDOWS\System32\83050173.exe
    O4 - HKLM\..\Run: [Ad-aware] D:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe +c
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Winstart] C:\windows\winstart32.exe
    O4 - HKCU\..\RunServices: [Winstart] C:\windows\winstart32.exe
    O4 - HKCU\..\RunServices: [_BKP] C:\windows\_BKP.com
    O4 - HKLM\..\RunOnce: [SpyBotSnD] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: blueyonder Instant Support Tool.lnk = D:\Program Files\blueyonder IST\bin\matcli.exe
    O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://d:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://d:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://d:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
    O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: LimeShop Preferences - file://D:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O8 - Extra context menu item: Si&milar Pages - res://d:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://d:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .bcf: D:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/dlaccell.CAB
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2F0D1DA3-F3E4-4C67-BB5C-5AFD70C1A4A5} (UDConnect Class) - http://19.sharedsource.org/html/UDConn.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {785EA525-5066-495F-ADF6-3B8316515DEF} (Collapse Control) - http://mirror.worldwinner.com/games/v43/collapse/collapse.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
     
  4. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    Ok, it looks like there is a lot of work still to be done, and it may take a couple of attempts, but hang in there :D


    First things first, download and run coolwebshredder

    Restart HijackThis and put a check mark against the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F1 - win.ini: run=d:\windows\system32\keybdcntl.exe
    O1 - Hosts: 66.159.20.52 www1.ndhosting.com
    O1 - Hosts: 66.159.20.52 www3.ndhosting.com
    O1 - Hosts: 66.159.20.52 www2.ndhosting.com
    O1 - Hosts: 66.159.20.52 www.ndhosting.com
    O1 - Hosts: 66.159.20.52 www.kinghost.com
    O1 - Hosts: 66.159.20.52 kinghost.com
    O1 - Hosts: 66.159.20.52 www1.kinghost.com
    O1 - Hosts: 66.159.20.52 www2.kinghost.com
    O1 - Hosts: 66.159.20.52 www3.kinghost.com
    O1 - Hosts: 66.159.20.52 www4.kinghost.com
    O1 - Hosts: 66.159.20.52 www5.kinghost.com
    O1 - Hosts: 66.159.20.52 www6.kinghost.com
    O1 - Hosts: 66.159.20.52 www7.kinghost.com
    O1 - Hosts: 66.159.20.52 www8.kinghost.com
    O1 - Hosts: 66.159.20.52 www9.kinghost.com
    O1 - Hosts: 66.159.20.52 www10.kinghost.com
    O1 - Hosts: 66.159.20.52 www.smutserver.com
    O1 - Hosts: 66.159.20.52 smutserver.com
    O1 - Hosts: 66.159.20.52 www1.smutserver.com
    O1 - Hosts: 66.159.20.52 www2.smutserver.com
    O1 - Hosts: 66.159.20.52 www16.smutserver.com
    O1 - Hosts: 66.159.20.52 www3.smutserver.com
    O1 - Hosts: 66.159.20.52 www4.smutserver.com
    O1 - Hosts: 66.159.20.52 www5.smutserver.com
    O1 - Hosts: 66.159.20.52 www6.smutserver.com
    O1 - Hosts: 66.159.20.52 www7.smutserver.com
    O1 - Hosts: 66.159.20.52 www8.smutserver.com
    O1 - Hosts: 66.159.20.52 www9.smutserver.com
    O1 - Hosts: 66.159.20.52 www10.smutserver.com
    O1 - Hosts: 66.159.20.52 www11.smutserver.com
    O1 - Hosts: 66.159.20.52 www12.smutserver.com
    O1 - Hosts: 66.159.20.52 www13.smutserver.com
    O1 - Hosts: 66.159.20.52 www14.smutserver.com
    O1 - Hosts: 66.159.20.52 www15.smutserver.com
    O1 - Hosts: 66.159.20.52 www17.smutserver.com
    O1 - Hosts: 66.159.20.52 www18.smutserver.com
    O1 - Hosts: 66.159.20.52 www19.smutserver.com
    O1 - Hosts: 66.159.20.52 www20.smutserver.com
    O1 - Hosts: 66.159.20.52 www21.smutserver.com
    O1 - Hosts: 66.159.20.52 www22.smutserver.com
    O1 - Hosts: 66.159.20.52 www23.smutserver.com
    O1 - Hosts: 66.159.20.52 www24.smutserver.com
    O1 - Hosts: 66.159.20.52 www25.smutserver.com
    O1 - Hosts: 66.159.20.52 www26.smutserver.com
    O1 - Hosts: 66.159.20.52 www27.smutserver.com
    O1 - Hosts: 66.159.20.52 www28.smutserver.com
    O1 - Hosts: 66.159.20.52 www29.smutserver.com
    O1 - Hosts: 66.159.20.52 www30.smutserver.com
    O1 - Hosts: 66.159.20.52 www31.smutserver.com
    O1 - Hosts: 66.159.20.52 www32.smutserver.com
    O1 - Hosts: 66.159.20.52 agreathost.net
    O1 - Hosts: 66.159.20.52 www.agreathost.net
    O1 - Hosts: 66.159.20.52 hotfreehost.com
    O1 - Hosts: 66.159.20.52 www.hotfreehost.com
    O1 - Hosts: 66.159.20.52 greatfreehost.com
    O1 - Hosts: 66.159.20.52 www.greatfreehost.com
    O1 - Hosts: 66.159.20.52 freesmutpages.com
    O1 - Hosts: 66.159.20.52 www.freesmutpages.com
    O1 - Hosts: 66.159.20.52 apornhost.com
    O1 - Hosts: 66.159.20.52 www.apornhost.com
    O1 - Hosts: 66.159.20.52 nasty-pages.com
    O1 - Hosts: 66.159.20.52 www.nasty-pages.com
    O1 - Hosts: 66.159.20.52 sexyfreehost.com
    O1 - Hosts: 66.159.20.52 www.sexyfreehost.com
    O1 - Hosts: 66.159.20.52 x4web.com
    O1 - Hosts: 66.159.20.52 www.x4web.com
    O1 - Hosts: 66.159.20.52 sexplanets.com
    O1 - Hosts: 66.159.20.52 www.sexplanets.com
    O1 - Hosts: 66.159.20.52 maxismut.com
    O1 - Hosts: 66.159.20.52 www.maxismut.com
    O1 - Hosts: 66.159.20.52 tgpfriendly.com
    O1 - Hosts: 66.159.20.52 www.tgpfriendly.com
    O1 - Hosts: 66.159.20.52 tgp-server.com
    O1 - Hosts: 66.159.20.52 www.tgp-server.com
    O1 - Hosts: 66.159.20.52 magnaplza.com
    O1 - Hosts: 66.159.20.52 www.magnaplza.com
    O1 - Hosts: 66.159.20.52 free-xxx-server.com
    O1 - Hosts: 66.159.20.52 www.free-xxx-server.com
    O1 - Hosts: 66.159.20.52 libereco.net
    O1 - Hosts: 66.159.20.52 www.libereco.net
    O1 - Hosts: 66.159.20.52 0190-dialer.com
    O1 - Hosts: 66.159.20.52 www.0190-dialer.com
    O1 - Hosts: 66.159.20.52 xxxod.net
    O1 - Hosts: 66.159.20.52 www.xxxod.net
    O1 - Hosts: 66.159.20.52 altsights.com
    O1 - Hosts: 66.159.20.52 www.altsights.com
    O1 - Hosts: 66.159.20.52 adulthosting.com
    O1 - Hosts: 66.159.20.52 www.adulthosting.com
    O1 - Hosts: 66.159.20.52 superhova.com
    O1 - Hosts: 66.159.20.52 www.superhova.com
    O1 - Hosts: 66.159.20.52 bestpornhost.com
    O1 - Hosts: 66.159.20.52 www.bestpornhost.com
    O1 - Hosts: 66.159.20.52 hostingfree.com
    O1 - Hosts: 66.159.20.52 www.hostingfree.com
    O1 - Hosts: 66.159.20.52 xfreehosting.com
    O1 - Hosts: 66.159.20.52 www.xfreehosting.com
    O1 - Hosts: 66.159.20.52 blinghosting.com
    O1 - Hosts: 66.159.20.52 www.blinghosting.com
    O1 - Hosts: 66.159.20.52 x-x-x-hosting.com
    O1 - Hosts: 66.159.20.52 www.x-x-x-hosting.com
    O1 - Hosts: 66.159.20.52 pornparks.com
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FLASHGET\jccatch.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
    O4 - HKLM\..\Run: [MVRescue] C:\MVRescue\mvrescue quit
    O4 - HKLM\..\Run: [win32gb] d:\windows\system32\win32gb.exe /noconnect
    O4 - HKLM\..\Run: [FLOSVYCF] D:\WINDOWS\FLOSVYCF.exe
    O4 - HKLM\..\Run: [Keybdcntl] d:\windows\system32\keybdcntl.exe
    O4 - HKLM\..\Run: [Mscnt] d:\windows\system32\mscnt.exe /noconnect
    O4 - HKLM\..\Run: [83050173.exe] D:\WINDOWS\System32\83050173.exe
    O4 - HKCU\..\Run: [Winstart] C:\windows\winstart32.exe
    O4 - HKCU\..\RunServices: [Winstart] C:\windows\winstart32.exe
    O4 - HKCU\..\RunServices: [_BKP] C:\windows\_BKP.com
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: LimeShop Preferences - file://D:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/dlaccell.CAB
    O16 - DPF: {2F0D1DA3-F3E4-4C67-BB5C-5AFD70C1A4A5} (UDConnect Class) - http://19.sharedsource.org/html/UDConn.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) -
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsol...ArcadeRdxIE.cab

    Click Fix Checked

    Restart your computer


    Do yourself a big favour and uninstall Flashget and Limewire

    If you must use a P2P, at least use one of the spyware-free ones, as listed here

    Go to C:\Windows
    find, right click and delete _BKP.com

    Do the same to Winstart32.exe and


    Go to D:\Windows\System32 and delete 83050173.exe and mscnt.exe

    Restart your computer and post a new hijack this log
     
  5. teesy

    teesy Thread Starter

    Joined:
    Oct 7, 2003
    Messages:
    6
    I don't have a Windows file on C drive, but couldn't find that file anyway. Here is the latest HijackThis log -

    Logfile of HijackThis v1.97.2
    Scan saved at 13:13:48, on 07/10/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    D:\Program Files\Norton Internet Security\NISUM.EXE
    D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    D:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    D:\WINDOWS\System32\ezSP_Px.exe
    D:\WINDOWS\BQTray.exe
    D:\WINDOWS\System32\81965273.exe
    D:\WINDOWS\System32\ctfmon.exe
    D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    D:\Program Files\Webshots\WebshotsTray.exe
    D:\Program Files\blueyonder IST\bin\mpbtn.exe
    D:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\Program Files\Outlook Express\msimn.exe
    D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\Program Files\Norton AntiVirus\navapsvc.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\Documents and Settings\Teresa Banks\My Documents\My Received Files\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.virgin.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin Net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\windows\googletoolbar_en_2.0.95-big.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\windows\googletoolbar_en_2.0.95-big.dll
    O4 - HKLM\..\Run: [EPSON Stylus C44 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
    O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LVCOMS] D:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [ezShieldProtector for Px] D:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [BurnQuick Queue] D:\WINDOWS\BQTray.exe
    O4 - HKLM\..\Run: [Ad-aware] D:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe +c
    O4 - HKLM\..\Run: [33657473.exe] D:\WINDOWS\System32\33657473.exe
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: blueyonder Instant Support Tool.lnk = D:\Program Files\blueyonder IST\bin\matcli.exe
    O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O8 - Extra context menu item: &Google Search - res://d:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://d:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://d:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://d:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://d:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .bcf: D:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/dlaccell.CAB
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {785EA525-5066-495F-ADF6-3B8316515DEF} (Collapse Control) - http://mirror.worldwinner.com/games/v43/collapse/collapse.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
     
  6. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    Did you run cwshredder?
    Update Norton and run a fullscan of your D:\ Drive

    Restart Hijack this, put a check mark against the following

    O4 - HKLM\..\Run: [33657473.exe] D:\WINDOWS\System32\33657473.exe

    Click Fix Checked

    Restart your computer in Safe Mode (press F8 at start up)

    Look for a file called Hosts, right click and delete it

    Find the following files in D:\WINDOWS\System32

    33657473.exe
    81965273.exe

    and delete them
     
  7. normmork

    normmork

    Joined:
    Oct 4, 2002
    Messages:
    76
  8. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Teresa... after you do what puta advised, post another H/T log; we've had trouble with this particular polymorphic file.
    If it's still around on the next logfile there is another sure-fire way of deleting it.

    good luck

    ;)
     
  9. teesy

    teesy Thread Starter

    Joined:
    Oct 7, 2003
    Messages:
    6
    Hi, ran everything as requested and here is the HijackThis log. Most things are now fixed, it's just if I try to open Outlook Express within the first few minutes after booting up it takes ages to open.



    Logfile of HijackThis v1.97.2
    Scan saved at 12:46:52, on 20/10/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    D:\Program Files\Norton Internet Security\NISUM.EXE
    D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    D:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    D:\WINDOWS\System32\ezSP_Px.exe
    D:\WINDOWS\BQTray.exe
    D:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    D:\WINDOWS\System32\54084414.exe
    D:\WINDOWS\System32\ctfmon.exe
    D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    D:\Program Files\Webshots\WebshotsTray.exe
    D:\Program Files\blueyonder IST\bin\mpbtn.exe
    D:\Program Files\Outlook Express\msimn.exe
    D:\Program Files\MSN Messenger\msnmsgr.exe
    D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\Program Files\Norton AntiVirus\navapsvc.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\Documents and Settings\Teresa Banks\My Documents\My Received Files\hijackthis\HijackThis.exe
    D:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.virgin.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin Net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - D:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - D:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\windows\googletoolbar_en_2.0.95-big.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\windows\googletoolbar_en_2.0.95-big.dll
    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - D:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O4 - HKLM\..\Run: [EPSON Stylus C44 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
    O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LVCOMS] D:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [ezShieldProtector for Px] D:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [BurnQuick Queue] D:\WINDOWS\BQTray.exe
    O4 - HKLM\..\Run: [Ad-aware] D:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe +c
    O4 - HKLM\..\Run: [WT GameChannel] D:\Program Files\WildTangent\Apps\GameChannel.exe
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] D:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [36477297.exe] D:\WINDOWS\System32\36477297.exe
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: blueyonder Instant Support Tool.lnk = D:\Program Files\blueyonder IST\bin\matcli.exe
    O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O8 - Extra context menu item: &Google Search - res://d:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://d:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://d:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://d:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://d:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .bcf: D:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/dlaccell.CAB
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {785EA525-5066-495F-ADF6-3B8316515DEF} (Collapse Control) - http://mirror.worldwinner.com/games/v43/collapse/collapse.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/wdriver/ddc/shockwave/wtinst.cab
     
  10. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Hi Teresa:)
    Control/Alt/Delete and end task this one.
    54084414.exe
    And if this 36477297.exe is there or any random numbered file
    Do the same....close task manager and then re-open it to check if they are still halted.

    Now without re-booting fix these with H/T

    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - D:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - D:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - D:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] D:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

    O4 - HKLM\..\Run: [36477297.exe] D:\WINDOWS\System32\36477297.exe

    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab

    O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/...wave/wtinst.cab


    Now find and delete these:
    D:\WINDOWS\System32\36477297.exe
    D:\WINDOWS\System32\54084414.exe
    D:\Program Files\MyWebSearch

    Re-boot and post back with another log.

    ;)
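
The numbered executable in these logs changes its name between scans (83050173.exe, 33657473.exe, 36477297.exe in the Run key; 91028994.exe, 81965273.exe, 54084414.exe as running processes), so triage has to match the pattern rather than a fixed filename. The following is an added example, not part of the original thread: a small HijackThis log parser that flags all-digit executables among running processes and O4 autoruns and groups O1 Hosts redirects by target IP. The function names and the six-digit threshold are assumptions made for this example; the sample log is an excerpt assembled from lines posted above.

```python
import re
from collections import defaultdict

# Excerpt assembled from the logs posted in this thread (trimmed for the example).
SAMPLE_LOG = r"""
Running processes:
D:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
D:\WINDOWS\System32\54084414.exe
D:\WINDOWS\System32\ctfmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O1 - Hosts: 66.159.20.52 www.kinghost.com
O1 - Hosts: 66.159.20.52 kinghost.com
O1 - Hosts: 66.159.20.52 www.0190-dialer.com
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [36477297.exe] D:\WINDOWS\System32\36477297.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")                  # "O4 - ..." style lines
RUN_RE = re.compile(r"^(HK\w+\\\.\.\\Run\w*): \[(.*?)\] (.*)$")     # registry autoruns
HOSTS_RE = re.compile(r"^Hosts: (\S+) (\S+)$")                      # O1 hosts-file entries
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|scr|pif))\b", re.I)
# Assumption for this example: a basename of six or more digits is "random-numbered".
DIGIT_EXE_RE = re.compile(r"\\(\d{6,})\.exe$", re.I)


def parse_log(text):
    """Split a HijackThis log into running processes and (code, detail) entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # a blank line ends the process list
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def exe_path(command):
    """Return the executable part of an autorun command line, without arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = EXE_RE.match(command)
    return m.group(1) if m else command.split(" ", 1)[0]


def analyze(text):
    """Flag digit-named executables and group hosts-file redirects by target IP."""
    processes, entries = parse_log(text)
    digit_autoruns, hosts_by_ip = [], defaultdict(list)
    for code, detail in entries:
        if code == "O4":
            m = RUN_RE.match(detail)
            if m and DIGIT_EXE_RE.search(exe_path(m.group(3))):
                digit_autoruns.append((m.group(1), m.group(2), exe_path(m.group(3))))
        elif code == "O1":
            m = HOSTS_RE.match(detail)
            if m:
                hosts_by_ip[m.group(1)].append(m.group(2))
    return {
        "digit_processes": [p for p in processes if DIGIT_EXE_RE.search(p)],
        "digit_autoruns": digit_autoruns,
        "hosts_by_ip": dict(hosts_by_ip),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

On the excerpt, the flagged process and the flagged autorun carry different numbers, which is why both lists are worth checking after each reboot.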
     
  11. sloloco

    sloloco

    Joined:
    Oct 15, 2003
    Messages:
    9
    Man there is a lot of porn sites in that Hi jack! LOL
     
  12. Deathdealer

    Deathdealer Guest

    ya...dirty
     